---
title: Introduction
course: intro_pentest
section: "Web-Based Exploitation"
layout: lesson
---

Now that you have a good understanding of common network-based attacks, it’s
important to take some time to discuss the basics of web-based exploitation. The
web is certainly one of the most common attack vectors available today because
everything is connected to the Internet. Nearly every company today has a web
presence, and more often than not, that web presence is dynamic and user-driven.
Previous-generation websites were simple static pages and coded mostly in HTML.
By contrast, many of today’s websites include complex coding with backend
database-driven transactions and multiple layers of authentication. Home
computers, phones, appliances and of course, systems that belong to our targets
are all connected to the Internet.

As our dependence and reliance on the web continues to expand, so does the need
to understand how this attack vector can be exploited.

A few years back, people started using words like “Web 2.0” and “cloud-based
computing” to describe a shift in the way we interact with our systems and
programs. Simply put, these terms are a change in the way computer programs are
designed, run, accessed and stored. Regardless of what words are used to
describe it, the truth of the matter is that the Internet is becoming more and
more “executable”. It used to be that programs like Microsoft Office had to be
installed locally on your physical computer. Now this same function can be
accessed online in the form of Google Docs and many other cloud computing
services. In many instances, there’s no local installation and your data, your
programs and your information reside on the server in some physically distant
location.

As mentioned earlier, companies are also leveraging the power of an executable
web. Online banking, shopping and record-keeping are now common place.
Everything is interconnected. In many ways, the Internet is like the new “wild
west”. Just when it seemed like we were making true progress and fundamental
changes to the way we program and architect system software, along comes the
Internet and gives us a new way to relearn and repeat many of the security
lessons from the past. As people rush to push everything to the web and systems
are mashed up and deployed with worldwide accessibility, new attacks are
developed and distributed at a furious pace.

It’s important that every aspiring hacker and penetration tester understand at
least the basics of the web-exploitation.
